/etc/neutron/secret.txt is world readable

root@wpz230807rc:/etc/neutron# ls -l secret.txt
-rw-r--r-- 1 root root 36 Aug 19 17:34 secret.txt
root@wpz230807rc:/etc/neutron# su - nobody -s /bin/bash
No directory, logging in with HOME=/
nobody@wpz230807rc:/$ cat /etc/neutron/secret.txt > /dev/null
nobody@wpz230807rc:/$

Confirmed; file is created world readable.

The UUID it contains is used on the relation to nova-compute to setup the shared secret for comms between the local neutron-metadata-agent and nova-api-metadata service.

Only the charm needs to be able to read it so a) it should really be in /var/lib/charm/<charm-name> and b) group and world permissions can be disabled safely

This could be used as an exploit if you had access to the local unit; crafting the correct http request using this shared secret could be used to retrieve instance metadata from the nova-api-metadata service.

Reviewed: https://review.opendev.org/687272
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-openvswitch/commit/?id=47fb279533c425ca5c5f7f3f8fd993b3fa8c1e12
Submitter: Zuul
Branch: master

commit 47fb279533c425ca5c5f7f3f8fd993b3fa8c1e12
Author: James Page <email address hidden>
Date: Tue Oct 8 12:20:59 2019 +0100

    Ensure /etc/neutron/secret.txt is not world readable

    /etc/neutron/secret.txt is used to store the UUID to configure
    the shared secret in neutron-metadata-agent and the nova-api-metadata
    service for authentication of metadata requests from instances.

    Ensure that this file can only be read by the root user.

    Change-Id: I6a18ebabade887922c13824c23ad5e0a8da74ba8
    Closes-Bug: 1847230